This paper proposes a generalized framework to build large, complex systems where security guarantees can be given for the overall system's implementation. The work builds on the formally proven correct seL4 microkernel and on its fine-grained access control. This access control mechanism allows large untrusted components to be isolated in a way that prevents them from violating a defined security property, leaving only the trusted components to be formally verified. The first steps of the approach are illustrated by the formalisation of a multilevel secure access device and a proof in Isabelle/HOL that information cannot flow from one back-end network to another.
@inproceedings{Andronick_GE_10,
title = {Towards Proving Security in the Presence of Large Untrusted
Components},
author = {June Andronick and David Greenaway and Kevin Elphinstone},
booktitle = {Proceedings of the 5th Systems Software Verification},
year = {2010},
month = {oct},
address = {Vancouver, Canada},
editor = {Gerwin Klein and Ralf Huuck and Bastian Schlich},
publisher = {USENIX}
}